Fix denial of service - memory corruption.
[Samba.git] / source3 / lib / packet.c
blob8d815c995153afaa0c1212a91b32b0cd8e04a6f0
1 /*
2 Unix SMB/CIFS implementation.
3 Packet handling
4 Copyright (C) Volker Lendecke 2007
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 #include "includes.h"
/*
 * Per-connection packet state: the descriptor plus one buffer of bytes
 * received but not yet handed to a handler (in) and one buffer of bytes
 * queued but not yet sent (out).
 */
struct packet_context {
	int fd;
	DATA_BLOB in;
	DATA_BLOB out;
};
/**
 * talloc destructor for a packet context: close the underlying fd.
 *
 * @param ctx  context being freed
 * @return     whatever close() returned for ctx->fd
 */
static int packet_context_destructor(struct packet_context *ctx)
{
	int rc = close(ctx->fd);

	return rc;
}
/**
 * Initialize a packet context. The fd is given to the packet context, meaning
 * that it is automatically closed when the packet context is freed.
 *
 * @param mem_ctx  talloc parent for the new context
 * @param fd       descriptor the context takes over
 * @return         the new zero-initialised context, or NULL on allocation
 *                 failure. On failure no destructor has been installed, so
 *                 the fd is NOT closed here and remains the caller's to close.
 */
struct packet_context *packet_init(TALLOC_CTX *mem_ctx, int fd)
{
	struct packet_context *pkt;

	pkt = TALLOC_ZERO_P(mem_ctx, struct packet_context);
	if (pkt == NULL) {
		return NULL;
	}

	pkt->fd = fd;
	/* From here on, freeing pkt closes fd via the destructor. */
	talloc_set_destructor(pkt, packet_context_destructor);

	return pkt;
}
/**
 * Pull data from the fd
 *
 * Asks the kernel how many bytes are readable (FIONREAD), grows ctx->in by
 * that amount and appends what recv() delivers.
 *
 * Note for callers: this function applies no upper bound to ctx->in. Each
 * call grows the buffer by whatever FIONREAD reports, so any limit on how
 * much unparsed peer data may accumulate has to be enforced by the code that
 * consumes the buffer.
 *
 * @param ctx  packet context to read into
 * @return     NT_STATUS_OK when at least one byte was appended;
 *             NT_STATUS_END_OF_FILE when FIONREAD reports 0 bytes or recv()
 *             returns 0; NT_STATUS_NO_MEMORY on size wrap or allocation
 *             failure; otherwise the mapped errno of the failing call.
 */
NTSTATUS packet_fd_read(struct packet_context *ctx)
{
	int rc;
	int pending;
	size_t grown_len;
	uint8 *grown;

	rc = ioctl(ctx->fd, FIONREAD, &pending);
	if (rc == -1) {
		DEBUG(10, ("ioctl(FIONREAD) failed: %s\n", strerror(errno)));
		return map_nt_error_from_unix(errno);
	}

	SMB_ASSERT(pending >= 0);

	/*
	 * Nothing readable is reported as end of file rather than success.
	 * NOTE(review): presumably callers only get here after the fd polled
	 * readable (packet_fd_read_sync does) - confirm for other callers.
	 */
	if (pending == 0) {
		return NT_STATUS_END_OF_FILE;
	}

	/* Reject a size_t wrap before the value is used as an allocation size. */
	grown_len = ctx->in.length + pending;
	if (grown_len < ctx->in.length) {
		DEBUG(0, ("integer wrap\n"));
		return NT_STATUS_NO_MEMORY;
	}

	grown = TALLOC_REALLOC_ARRAY(ctx, ctx->in.data, uint8, grown_len);
	if (grown == NULL) {
		DEBUG(10, ("talloc failed\n"));
		return NT_STATUS_NO_MEMORY;
	}

	/*
	 * Publish the reallocated pointer before recv() so the context never
	 * keeps the pre-realloc pointer, even on the error returns below.
	 * in.length is only advanced once bytes have actually arrived.
	 */
	ctx->in.data = grown;

	rc = recv(ctx->fd, grown + ctx->in.length, pending, 0);
	if (rc < 0) {
		DEBUG(10, ("recv failed: %s\n", strerror(errno)));
		return map_nt_error_from_unix(errno);
	}
	if (rc == 0) {
		return NT_STATUS_END_OF_FILE;
	}

	ctx->in.length += rc;

	return NT_STATUS_OK;
}
/**
 * Wait until the fd is readable (or the timeout expires), then pull data
 * from it with packet_fd_read().
 *
 * @param ctx      packet context to read into
 * @param timeout  passed through to sys_select()
 * @return         NT_STATUS_IO_TIMEOUT when select reports no ready fd, the
 *                 mapped errno when select fails or the fd is out of range,
 *                 otherwise the result of packet_fd_read().
 */
NTSTATUS packet_fd_read_sync(struct packet_context *ctx,
			     struct timeval *timeout)
{
	fd_set readable;
	int nready;

	/*
	 * FD_SET() on a descriptor outside [0, FD_SETSIZE) would index outside
	 * the fd_set, so such descriptors are refused up front with EBADF.
	 */
	if (!(ctx->fd >= 0 && ctx->fd < FD_SETSIZE)) {
		errno = EBADF;
		return map_nt_error_from_unix(errno);
	}

	FD_ZERO(&readable);
	FD_SET(ctx->fd, &readable);

	nready = sys_select(ctx->fd+1, &readable, NULL, NULL, timeout);

	if (nready == -1) {
		DEBUG(10, ("select returned %s\n", strerror(errno)));
		return map_nt_error_from_unix(errno);
	}

	if (nready == 0) {
		DEBUG(10, ("select timed out\n"));
		return NT_STATUS_IO_TIMEOUT;
	}

	return packet_fd_read(ctx);
}
/**
 * Hand one complete request from the input buffer to a callback.
 *
 * full_req() is asked whether ctx->in holds a complete request and, if so,
 * how long it is. The length it reports is checked against the number of
 * buffered bytes before it is used for any copy, so a full_req() that
 * over-reports ends in NT_STATUS_INTERNAL_ERROR instead of a read past the
 * buffer.
 *
 * The buffer handed to callback() is either the input buffer itself (when the
 * request consumes all buffered bytes) or a TALLOC_MEMDUP copy hung off ctx;
 * in both cases this function does not free it afterwards.
 * NOTE(review): presumably the callback takes ownership of buf - confirm
 * against the callers.
 *
 * @param ctx       packet context whose input buffer is examined
 * @param full_req  decides whether a complete request is buffered and sets
 *                  *length to its size
 * @param callback  receives the request bytes
 * @param priv      opaque pointer passed to both function pointers
 * @param status    set to the callback's result, or to an error status when
 *                  the request could not be handed over
 * @return          false when no complete request is buffered (*status is
 *                  left untouched), true otherwise
 */
bool packet_handler(struct packet_context *ctx,
		    bool (*full_req)(const uint8_t *buf,
				     size_t available,
				     size_t *length,
				     void *priv),
		    NTSTATUS (*callback)(uint8_t *buf, size_t length,
					 void *priv),
		    void *priv, NTSTATUS *status)
{
	size_t req_len;
	size_t leftover;
	uint8_t *req;

	if (!full_req(ctx->in.data, ctx->in.length, &req_len, priv)) {
		return false;
	}

	/* Never trust a reported length larger than what is buffered. */
	if (req_len > ctx->in.length) {
		*status = NT_STATUS_INTERNAL_ERROR;
		return true;
	}

	leftover = ctx->in.length - req_len;

	if (leftover == 0) {
		/* The request is the whole buffer: hand it over without a copy. */
		req = ctx->in.data;
		ctx->in.data = NULL;
		ctx->in.length = 0;
	} else {
		/* More data follows: copy the request out, then close the gap. */
		req = (uint8_t *)TALLOC_MEMDUP(ctx, ctx->in.data, req_len);
		if (req == NULL) {
			*status = NT_STATUS_NO_MEMORY;
			return true;
		}

		memmove(ctx->in.data, ctx->in.data + req_len, leftover);
		ctx->in.length = leftover;
	}

	*status = callback(req, req_len, priv);
	return true;
}
/**
 * How many bytes of outgoing data do we have pending?
 *
 * @param ctx  packet context to inspect
 * @return     current length of the queued output buffer
 */
size_t packet_outgoing_bytes(struct packet_context *ctx)
{
	size_t queued = ctx->out.length;

	return queued;
}
/**
 * Push data to the fd
 *
 * Makes a single send() attempt with everything queued in ctx->out and
 * removes the bytes that were accepted from the front of the buffer.
 *
 * @param ctx  packet context whose output buffer is written
 * @return     NT_STATUS_OK after a successful send() (which may have been
 *             partial), otherwise the mapped errno; on failure the output
 *             buffer is left unchanged.
 */
NTSTATUS packet_fd_write(struct packet_context *ctx)
{
	ssize_t sent;
	size_t remaining;

	sent = send(ctx->fd, ctx->out.data, ctx->out.length, 0);
	if (sent == -1) {
		DEBUG(0, ("send failed: %s\n", strerror(errno)));
		return map_nt_error_from_unix(errno);
	}

	/* Slide the unsent tail to the start of the buffer. */
	remaining = ctx->out.length - sent;
	memmove(ctx->out.data, ctx->out.data + sent, remaining);
	ctx->out.length = remaining;

	return NT_STATUS_OK;
}
/**
 * Sync flush all outgoing bytes
 *
 * Calls packet_fd_write() repeatedly until the output buffer is empty. Any
 * failure status from packet_fd_write(), whatever the underlying errno, ends
 * the loop and is returned with the unsent bytes still queued.
 *
 * @param ctx  packet context to drain
 * @return     NT_STATUS_OK once nothing is queued, otherwise the first
 *             failure status from packet_fd_write()
 */
NTSTATUS packet_flush(struct packet_context *ctx)
{
	for (;;) {
		NTSTATUS rc;

		if (ctx->out.length == 0) {
			break;
		}

		rc = packet_fd_write(ctx);
		if (!NT_STATUS_IS_OK(rc)) {
			return rc;
		}
	}

	return NT_STATUS_OK;
}
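/**
 * Send a list of DATA_BLOBs
 *
 * Example: packet_send(ctx, 2, data_blob_const(&size, sizeof(size)),
 *                      data_blob_const(buf, size));
 *
 * The blobs are appended to the context's output buffer; nothing is written
 * to the fd here. The variadic list is walked twice: once to compute the
 * total size with an overflow check, once to copy. num_blobs must match the
 * number of DATA_BLOB arguments actually passed; that cannot be verified
 * from inside this function.
 *
 * @param ctx        packet context whose output buffer is extended
 * @param num_blobs  number of DATA_BLOB arguments that follow
 * @return           NT_STATUS_OK on success (including when there is nothing
 *                   to queue), NT_STATUS_NO_MEMORY on size overflow or
 *                   allocation failure; on failure the queued data is
 *                   unchanged.
 */
NTSTATUS packet_send(struct packet_context *ctx, int num_blobs, ...)
{
	va_list ap;
	int i;
	size_t len;
	uint8 *out;

	len = ctx->out.length;

	/* Pass 1: total size needed, refusing a size_t wrap-around. */
	va_start(ap, num_blobs);
	for (i = 0; i < num_blobs; i++) {
		DATA_BLOB blob = va_arg(ap, DATA_BLOB);
		size_t tmp = len + blob.length;

		if (tmp < len) {
			DEBUG(0, ("integer overflow\n"));
			va_end(ap);
			return NT_STATUS_NO_MEMORY;
		}
		len = tmp;
	}
	va_end(ap);

	if (len == 0) {
		return NT_STATUS_OK;
	}

	out = TALLOC_REALLOC_ARRAY(ctx, ctx->out.data, uint8, len);
	if (out == NULL) {
		DEBUG(0, ("talloc failed\n"));
		return NT_STATUS_NO_MEMORY;
	}

	ctx->out.data = out;

	/* Pass 2: append each blob behind the data already queued. */
	va_start(ap, num_blobs);
	for (i = 0; i < num_blobs; i++) {
		DATA_BLOB blob = va_arg(ap, DATA_BLOB);

		/*
		 * An empty blob may carry a NULL data pointer, and memcpy()
		 * with a NULL source is undefined even for a zero length,
		 * so empty blobs are skipped instead of copied.
		 */
		if (blob.length == 0) {
			continue;
		}

		memcpy(ctx->out.data+ctx->out.length, blob.data, blob.length);
		ctx->out.length += blob.length;
	}
	va_end(ap);

	/* Both passes must agree, or the buffer size bookkeeping is broken. */
	SMB_ASSERT(ctx->out.length == len);
	return NT_STATUS_OK;
}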
/**
 * Get the packet context's file descriptor
 *
 * The descriptor stays owned by the context, whose destructor closes it
 * when the context is freed.
 *
 * @param ctx  packet context to query
 * @return     the descriptor stored in the context
 */
int packet_get_fd(struct packet_context *ctx)
{
	int fd = ctx->fd;

	return fd;
}